The Health Insurance Portability and Accountability Act (HIPAA), requires health care organizations to protect the integrity, privacy, and security of protected health information (PHI) and electronically protected health information (ePHI).
Health organizations that fail to comply with HIPAA (non-compliant Covered Entities (CE’s), risk receiving hefty fines from the Office of Civil Rights (OCR). HIPAA regulations govern entities that include large and small health organizations, and Business Associates of healthcare organizations.
In this HIPAA checklist, you will discover the fundamental components of HIPAA regulation that you need to comply with, as a Covered Entity.
Summary – HIPAA Compliance
- Privacy Rule
- Security Rule
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
HIPAA Compliance – Privacy Rule
- The privacy rule gives a patient the primary right to own their health information. It also gives certain limitations and conditions to healthcare providers, healthcare clearinghouses, and healthcare plans, on how to use and disclose PHI physically or electronically.
- When handling PHI and ePHI, to comply with the Privacy Rule you should do the following:
- Write policies, procedures, and standards of conduct, which employees must follow when they handle patients’ PHI and ePHI. Moreover, educate employees on the penalties they may face if they violate them.
- Write updated Business Associate (BA) agreements that protect your firm from HIPAA breaches, when transacting with healthcare BA. Your BA must agree to them and sign them.
- Use physical, administrative, and technical safeguards to PHI data and its disclosure.
- Have procedures patients can use to file HIPAA compliance complaints, and inform them that their complaints can be forwarded to Health and Human Services (HHS).
- Your organization cannot retaliate against patients for exercising their rights of Privacy Rule. Moreover, your organization cannot require patients to waive their Privacy Rule rights, in order to obtain treatment, enrollment, or payment.
- All administrative documents such as complaints, remediation plans, privacy practice notices, and privacy policies should be stored and made accessible for six years, from their date of creation.
- Appoint a dedicated privacy officer to implement the rest of the privacy policies.
HIPAA Compliance – Security Rule
The HIPAA Security Rule lists measures organizations can use to prevent leaks and compromises when creating, sharing, storing or disposing of ePHI. The security rule guarantees the safety of PHI, as technology evolves to make access to information increasingly easy.
Understanding the security rule is important if you use cloud computing, share documents remotely or online, or receive ePHI data via online forms. Read on to discover how to comply with the three aspects of the HIPAA Security Rule.
HIPAA Security Rule – Administrative Safeguards and Standards
1. Security Management Process
- Carry out Risk Analysis to assess the possibility of ePHI leaks.
- Implement Risk Management measures to check whether ePHI breaches can occur
- Extend Sanction Policies to employees who do not follow ePHI policies and procedures.
- Use Information System Activity Logs to monitor system activity frequently.
2. Assigned Security Responsibility
- Have a dedicated employee who can develop, maintain, and monitor procedures and policies that secure ePHI.
3. Workforce Security
- No employee should handle ePHI without Authorization and Supervision.
- Use Workforce Clearance Procedures to decide who gets access to ePHI, and who does not.
- Through Termination Procedures, ensure employees who previously had access to ePHI, can no longer access them.
4. Information Access Management
- If a clearinghouse is part of a larger firm, its Access to ePHI should be isolated.
- You should only grant ePHI access to employees whose roles require access to ePHI.
- You should have strict rules that govern how access to ePHI is established, granted, or modified.
5. Security Awareness and Training
- Send out security reminders on a regular basis.
- Use anti-malware systems to prevent ePHI compromise attacks.
- Continuously monitor login access for unauthorized access.
- Use a password management system to create, update, and protect employees’ ePHI access passwords.
6. Handling Security Incidents
- Use Response and Reporting procedures to manage ePHI breaches and their effects.
7. Contingency Plan
- Install a data backup and recovery system and plan for use in case of ePHI compromise or loss.
- Have disaster recovery mechanisms to ensure full ePHI recovery in case of a disaster.
- Establish an emergency mode of operation, which employees can use to securely access and use ePHI during emergencies.
- Test and revise contingency procedures periodically to check for flaws and faults.
- Use Applications and Data Criticality Analysis to streamline contingency plans.
- Evaluate the technical and non-technical security aspects of ePHI when changing operations or shifting locations.
9. Business Associates (BAs) Agreements and Other Arrangements
- Indicate all your business contracts and agreements that Bas has to agree to abide by ePHI security standards and regulations.
HIPAA Security Rule: Physical Safeguards and Standards
You should use Physical Safeguards to guide you when creating policies and procedures used to protect electronic systems used to store, manage, and access ePHI. Physical Safeguards protect those systems from physical threats, unauthorized access, and environmental hazards.
Document the Physical Safeguards and Standards, and make the documentation available to all employees, so that they can know on which steps to take, to protect, and uphold the confidentiality of patient information.
1. Facility Access Control
- Establish contingency operation access plans and procedures to enable access to the physical office during disasters and emergencies.
- Create a security plan for the facility housing ePHI equipment, to protect the ePHI equipment from theft and other forms of unauthorized access.
- Use Access Control and Authentication steps to determine how, when, and who is granted access to the ePHI equipment.
- Document all modifications to the physical facility housing the ePHI equipment, in the Maintenance Records.
2. Use of Workstations
- Have workstation policies that dictate the physical attributes, performance, and usage of ePHI workstations and equipment.
3. Workstation Security
- Have a workstation physical security policy that specifies who has physical access to workstations and equipment, from where ePHI is accessed.
4. Media and Device Controls
- Strictly manage the disposal of devices and media used to access or store ePHI.
- Have media and device control policies that administrators must use to determine when and how to remove ePHI from electronic media and equipment, for them to be re-used elsewhere.
- Account for all hardware and equipment used to access ePHI, and track their location when necessary.
- The data backup and procedures must create the exact copies of ePHI, and do it every time there are updates.
HIPAA Security Rule: Technical Safeguards
The third component of the Security Rule is the Technical safeguard. These are written and accessible policies and procedures used to monitor user access to ePHI storage systems.
1. Access Control
- Provide employees with unique identifiers such as Usernames or IDs, which can be used to track their access and usage of ePHI systems.
- Have procedures that state emergency access protocols and authorization, during emergencies.
- All ePHI storage systems must have an Automatic Log-Off Function after a short period of inactivity.
- Ensure all ePHI storage systems must have in-built encryption and decryption systems.
2. Audit Controls
- Use Audit Controls to monitor, record, and store ePHI access and system usage.
- The ePHI system must have an inbuilt Authentication Mechanism that prevents access, alteration, and destruction of ePHI without authorization.
4. Entity and Person Authentication
- Use Entity and Person Authentication, to authorize access to specific data and ePHI, for selected employees and users.
5. Transmission Security
- When electronically transmitting ePHI, use Integrity Controls to prevent intermediary attacks during transmission.
- Encrypt any ePHI during transmission and storage.
Conclusion – HIPAA Compliance Checklist
Complying with HIPAA Regulations is important to avoid hefty fines during HIPAA audits. Moreover, following the above safety practices denies malicious agents easy access to your HIPAA systems. We hope that you found this guide to be helpful, and easy to implement.